Re: CA voting bill we're drafting

I largely agree with Mr. Johnson's comments, but think we need to go
farther. Here's what I think we need.

-R

------
1. The bill should require the full procedure for publication of all
sources (including firmware, hardware schematics, bills of materials,
etc.), review, incorporation of comments, production of the final
version (with appropriate checksums), and verification via public build
and checksum comparison.

This implies, of course, that all source must reasonably be buildable
and checksum-able by the public, which implies that it may not use
proprietary build systems, compilers, linkers, etc. – and that it must
refrain from using expensive ones (e.g., Rational Rose), too. Also the
vendor must provide full instructions so that any reasonably-competent
software engineer can download the source, buy the tools, build
everything, compute the checksums, and compare them without undue
expense or delay.

Also, all sources must be published long enough before deployment to
allow useful public review.

2. The bill should require that the vendor incorporate reasonable
security-related comments. This will have to be mediated by a review
board; let’s call it the California Elections Integrity Board. This
Board should have a small number (say 5) of technically-versed voting
members and a technical advisory group. The bill should prohibit any of
these people from having ties to vendors.

3. The bill should prohibit any use of equipment (software, firmware, or
hardware) of any kind that has not undergone the required review, and
there should be criminal penalties for violations.

4. If a fatal bug is discovered near an election that would require
unreviewed patches, the jurisdiction must conduct the election using
another certified system or by the use of hand-filled, hand-counted
paper ballots (with assistance available for the disabled). If a fatal
bug is discovered during an election, the election must be voided and
re-run in the affected jurisdictions using another certified system or
hand-filled, hand-counted paper ballots.

5. The bill must proscribe all NDAs. Even pre-purchase NDAs are
problematic because they actively prevent public review until the
jurisdiction has committed itself to lease or buy the machines. At that
point, the officials who’ve leased or bought have put their reputations
on the line, and will find it very difficult to reverse themselves,
irrespective of what the public finds during its review. Essentially
they’d have to be heroes to do the right thing.

Voting systems do not use rocket science, and secrecy surrounding them
serves no useful competitive purposes. And even if it did, those
purposes are heavily outweighed by the need to ensure elections’
integrity. Vendors are not just selling stuff, they’re acting as
fiduciaries for a vital public trust. Therefore the bill should require
that all source code (including firmware source, FPGA programs, ASIC
code) and all hardware design information (including schematics, bills
of materials, etc.) be made public (and easily-accessible on the web)
concurrently with any bid.

California has the power to create a revolution in how voting systems
are produced and supervised. Let’s take the bull by the horns and fully
open these systems.

6. The bill should require that all software be loaded only from a
CD-ROM or other write-once media so that the public actually can
supervise what these machines are running. The bill also needs to
establish a public right to examine the media before use, including
computing the appropriate checksum and witnessing the installation and
locking of the media into the machine and the machine’s placement into
service.

7. The bill should mandate a complete random-inspection regimen
administered in a manner similar to how the Nevada Gaming Control Board
supervises electronic slots. This should be another duty of the
California Elections Integrity Board (see item 2), and should include
the right to go into any jurisdiction at any time, take any machine, and
rip it to shreds to search for unauthorized anything. The Board should
also have the power to issue subpoenas to vendors for any missing
information. And the bill should provide compensation to jurisdictions
for machines taken out of service.

We really need this regimen. COTS certifications are not enough. A
vendor crooked enough to attempt to steal an election will think nothing
of falsely certifying the use of unmodified COTS components. And without
a rigorous, mandatory random inspection regimen, the chances of catching
such a vendor are very small.

8. The bill should require parallel testing (again, administered by the
California Elections Integrity Board) in every election in a
statistically-significant, randomly-selected set of precincts in every
jurisdiction. And “randomly-selected”